Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-50447

Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

Published

2024-01-19T20:15:11.870

Last Modified

2024-11-21T08:37:00.967

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.1 (HIGH)

Weaknesses

Type: Primary
CWE-94
Type: Secondary
CWE-95

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	python	pillow	≤ 10.1.0	Yes
Operating System	debian	debian_linux	10.0	Yes

References

http://www.openwall.com/lists/oss-security/2024/01/20/1 Mailing List, Third Party Advisory ([email protected])
https://devhub.checkmarx.com/cve-details/CVE-2023-50447/ Third Party Advisory ([email protected])
https://duartecsantos.github.io/2024-01-02-CVE-2023-50447/ ([email protected])
https://github.com/python-pillow/Pillow/releases Release Notes ([email protected])
https://lists.debian.org/debian-lts-announce/2024/01/msg00019.html Mailing List, Third Party Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2024/01/20/1 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://devhub.checkmarx.com/cve-details/CVE-2023-50447/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://duartecsantos.github.io/2024-01-02-CVE-2023-50447/ (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/python-pillow/Pillow/releases Release Notes (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2024/01/msg00019.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)